Fix exception handling and add tests

Per [0], fernet decrypt can never throw an InvalidSignature exception as that
is re-raised as InvalidToken. This patch set corrects the handling of the
exception, and added additional unit tests for coverage.

[0] https://cryptography.io/en/latest/fernet/#cryptography.fernet.Fernet.decrypt

Co-Authored-By: Drew Walters <drewwalters96@gmail.com>
Change-Id: Ic5ee7ef451a5657519c5397fc4b903b5adcb1d18
Signed-off-by: Tin Lam <tin@irrational.io>
This commit is contained in:
Tin Lam 2019-02-03 00:28:51 -06:00
parent 1aa46d77af
commit aa241081c9
5 changed files with 59 additions and 9 deletions

View File

@ -15,8 +15,7 @@
import base64
import logging
from cryptography.exceptions import InvalidSignature
from cryptography.fernet import Fernet
from cryptography import fernet
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
@ -57,8 +56,8 @@ def encrypt(unencrypted_data,
:rtype: bytes
"""
return Fernet(_generate_key(passphrase, salt, key_length,
iterations)).encrypt(unencrypted_data)
return fernet.Fernet(_generate_key(
passphrase, salt, key_length, iterations)).encrypt(unencrypted_data)
def decrypt(encrypted_data,
@ -88,14 +87,14 @@ def decrypt(encrypted_data,
:type iterations: positive integer.
:return: Decrypted secret data
:rtype: bytes
:raises InvalidSignature: If the provided passphrase, and/or
:raises InvalidToken: If the provided passphrase, and/or
salt does not match the values used to encrypt the data.
"""
try:
return Fernet(_generate_key(passphrase, salt, key_length,
iterations)).decrypt(encrypted_data)
except InvalidSignature:
return fernet.Fernet(_generate_key(
passphrase, salt, key_length, iterations)).decrypt(encrypted_data)
except fernet.InvalidToken:
LOG.error('Signature verification to decrypt secrets failed. Please '
'check your provided passphrase and salt and try again.')
raise

View File

@ -1,6 +1,7 @@
# Testing
pytest==3.2.1
pytest-cov==2.5.1
testfixtures
mock==2.0.0
# Formatting

View File

@ -14,9 +14,13 @@
import os
import tempfile
import uuid
from cryptography import fernet
import mock
import pytest
import string
from testfixtures import log_capture
import yaml
from pegleg.engine.util.cryptostring import CryptoString
@ -176,3 +180,23 @@ def test_generate_passphrases(*_):
assert len(decrypted_passphrase) == 25
else:
assert len(decrypted_passphrase) == 24
@log_capture()
def test_generate_passphrases_exception(capture):
unenc_data = uuid.uuid4().bytes
passphrase1 = uuid.uuid4().bytes
passphrase2 = uuid.uuid4().bytes
salt1 = uuid.uuid4().bytes
salt2 = uuid.uuid4().bytes
# Generate random data and encrypt it
enc_data = encryption.encrypt(unenc_data, passphrase1, salt1)
# Decrypt using the wrong key to see to see the InvalidToken error
with pytest.raises(fernet.InvalidToken):
encryption.decrypt(enc_data, passphrase2, salt2)
capture.check(('pegleg.engine.util.encryption', 'ERROR',
('Signature verification to decrypt secrets failed. '
'Please check your provided passphrase and salt and '
'try again.')))

View File

@ -0,0 +1,26 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import logging
import pytest
from testfixtures import log_capture
from pegleg.engine import exceptions as exc
@log_capture()
def test_exception_with_missing_kwargs(capture):
message = 'Testing missing kwargs exception with {text}'
with pytest.raises(exc.PeglegBaseException):
raise exc.PeglegBaseException(message=message, key="value")
capture.check(('pegleg.engine.exceptions', 'WARNING', 'Missing kwargs'))

View File

@ -60,7 +60,7 @@ commands =
{toxinidir}/tools/install-cfssl.sh
bash -c 'PATH=$PATH:~/.local/bin; pytest --cov=pegleg --cov-report \
html:cover --cov-report xml:cover/coverage.xml --cov-report term \
--cov-fail-under 84 tests/'
--cov-fail-under 86 tests/'
whitelist_externals =
bash